Searching public hacker databases to keep your passwords safe
June 25, 2011 11:32 AM

Should I Change My Password checks a list of e-mails connected to passwords released by hackers to the public (source list here) and tells you if your password has been compromised.
posted by The Devil Tesla (49 comments total) 19 users marked this as a favorite
 
Is it really working? It takes no time at all to search.
posted by Brocktoon at 11:35 AM on June 25, 2011


Seems to me it would be a great way to dupe people to provide their passwords.
posted by prodigalsun at 11:36 AM on June 25, 2011 [24 favorites]


Yeah it seems to be working. One of my email addresses was compromised in the gawker pw leak and it showed up positive when I typed it in.
posted by SirOmega at 11:36 AM on June 25, 2011 [2 favorites]


The description is a bit wrong -- it checks email addresses that are known to have compromised passwords. You never give them your password.

Typing your actual password in to a site to check if it's been compromised would be staggeringly stupid. Of course, it would be kind of funny to make such a site and see what happens...
posted by miyabo at 11:38 AM on June 25, 2011 [8 favorites]


So it's just an email harvesting service, then? ;)
posted by Foci for Analysis at 11:43 AM on June 25, 2011 [4 favorites]


Hackers go to XFactor? Wow.
posted by stormpooper at 11:44 AM on June 25, 2011


It says my email address has been compromised 1 time, back in December. What does this mean? How can they tell?
posted by KokuRyu at 11:47 AM on June 25, 2011


I think they compare your email to known lists of emails/passwords that have been hacked and if it shows up on the link then it was hacked and the list was released.
posted by SpaceWarp13 at 11:51 AM on June 25, 2011


What does this mean? How can they tell?

I'm guessing they compare entered email addresses with this list of material about compromised passwords. (Linked to in the FPP as the source list.)
posted by hippybear at 11:51 AM on June 25, 2011 [1 favorite]


>It says my email address has been compromised 1 time, back in December. What does this mean? How can they tell?

Actually, I get it now... The email address in question was tied to the Gawker data breach back in December. Seems unlikely that it was hacked (although I did get locked out of LinkedIn for a month because of it!)
posted by KokuRyu at 11:52 AM on June 25, 2011


You guys just give me your password and I'll see if it is compromised.
....



....



.....

Spoiler: it is now
posted by Potomac Avenue at 11:53 AM on June 25, 2011


Yeah, looks like mine showed up in the Gawker release.
posted by brundlefly at 11:53 AM on June 25, 2011


Seems to me it would be a great way to dupe people to provide their passwords.

I wouldn't have posted it if I wasn't sure it was legit.

The description is a bit wrong -- it checks email addresses that are known to have compromised passwords. You never give them your password.

Thanks, I've asked the mods to change my post.
posted by The Devil Tesla at 11:56 AM on June 25, 2011 [1 favorite]




And here's 1Password. YAY PASSWORD MANAGERS!
posted by The Devil Tesla at 11:59 AM on June 25, 2011 [1 favorite]


But wasn't LastPass hacked last month too?
posted by elizardbits at 12:00 PM on June 25, 2011


Mod note: Edited post with clarification at OP's request.
posted by restless_nomad (staff) at 12:01 PM on June 25, 2011


Or PasswordSafe because it was started by Bruce Schneier. Apparently KeePass is pretty good too.

Since I've started using a password manager I don't think I ever use the same password anymore (except for some mandatory registration things where I won't really use the account more than once or so anyway). With all these breaches happening using passwords in more than one place is a really bad idea.
posted by bjrn at 12:05 PM on June 25, 2011 [1 favorite]


I wouldn't have posted it if I wasn't sure it was legit.

How are you sure it is legit? It could be harvesting email addresses.
posted by DU at 12:09 PM on June 25, 2011


It feels legit, man!
posted by ryanrs at 12:14 PM on June 25, 2011


How are you sure it is legit? It could be harvesting email addresses.

Mostly because the site seems through and, if it is a scam, they sure did con a lot of people into thinking it's legit. I'll admit I was duped if someone comes up with evidence that it was shady, but I'm sure enough to put my own e-mail into it.
posted by The Devil Tesla at 12:23 PM on June 25, 2011


How are you sure it is legit? --- I know he's got a few very vocal detractors here, but for what it's worth, Steve Gibson mentioned this site on his podcast, Security Now, this week, and he gave it his seal of approval.
posted by crunchland at 12:25 PM on June 25, 2011


Mostly because the site seems through

/facepalm
posted by ryanrs at 12:29 PM on June 25, 2011 [1 favorite]


It could be harvesting email addresses.

Do people with bad intentions still go out of their way to harvest e-mail addresses? Is there any point to such an activity any more?
posted by Western Infidels at 12:32 PM on June 25, 2011 [1 favorite]


Of course, this is not very helpful if you follow the principle of using a different e-mail address for every site you sign up to, so if you start getting ads at that address you'll know who sold it.

Foiled by my own planning.
posted by subbes at 12:41 PM on June 25, 2011 [1 favorite]


But with the Gawker breach, didn't they just get your GAWKER password? (Which, for me, was a randomly-generated string of letters from when I had to reset it one time.) Mine was compromised in the Gawker breach as well, but that password isn't tied to my E-MAIL password ... that doesn't make any sense.
posted by Eyebrows McGee at 12:42 PM on June 25, 2011


I disagree that LastPass is a really great system, though of course it's way better than just using the same password for everything. But I've restated the hoary things about LastPass a number of times on this site so I'll shut up now :).

I use (Mefi's own) Nic Wolff's password hasher (saved to a file on each of my own machines of course).
posted by miyabo at 12:44 PM on June 25, 2011


Could someone explain the anxiety over someone knowing your email address? Because my reaction right now is, "Oh no, they might send me something which I promptly discard."
posted by indubitable at 12:55 PM on June 25, 2011 [1 favorite]


Because my reaction right now is, "Oh no, they might send me something which I promptly discard."

Replace "something" with "a quadrillion things" and you begin to see the issue.
posted by The Devil Tesla at 1:05 PM on June 25, 2011 [3 favorites]


But with the Gawker breach, didn't they just get your GAWKER password? (Which, for me, was a randomly-generated string of letters from when I had to reset it one time.) Mine was compromised in the Gawker breach as well, but that password isn't tied to my E-MAIL password ... that doesn't make any sense.

Well yes. But you have to realize that between 20-50% of any userbase (even people who should know better, like spies, bank managers, and computer security experts) follow the path of least resistance and reuse passwords for both trivial and critical systems. So yes, in both the Gawker and HBGary cases the "hackers" used recovered passwords to get access to other systems.
posted by KirkJobSluder at 1:10 PM on June 25, 2011


Note, this only pulls up lists of known publicly released databases - it doesn't include, for example, the Sony PS3 breach. I know my account was leaked that way, but this site says I'm fine.

But wasn't LastPass hacked last month too?

No. Their system monitoring picked up a very small amount of internet traffic they couldn't account for from a non-critical system. As a paranoid precaution - it was big enough for only a couple of password databases - they forced all users to either change their master password and do email verification, or mark they were confident it was a strong password to continue using the system.

In general, it's pretty much impossible for lastpass to be hacked. The way it works, your master password is one-way-hashed locally, and that hash is used, in combination with your email address, to upload and download your password database. The master password is used, again entirely locally, to decrypt the database, and then allow its use via the browser plugin (if you use the web-based login, it's actually doing all the work locally in javascript). You set how quickly the authorization to do so expires, so every time your browser closes for example is the default I think. You also need to enter it every time to pull out a password in cleartext, or alter any settings - all of which is done locally and then synced.

Even assuming they were completely hacked, and all the stored databases were completely stolen, along with the hashed passwords, that still doesn't allow them to get access to your passwords; the hash algorithm was already strong so it's very hard to get back the original password even if it is very weak. If it's strong, it's basically mathematically impossible, i.e. tens of thousands of years per password. They've now beefed up the hash method, to make it slower to test passwords against the hash, making even extremely weak master passwords (i.e. "cat") virtually impossible to recover in anything like a practical timeframe. And without the master password, even the hash and database combined are useless as you simply can't decrypt the database.

This also protects against someone man-in-the-middling you on an untrusted wireless connection; they could only get the hash and database if they happen to catch you during an update sync - which you can also turn off temporarily or permanently - and without the master password, they're still stuffed.

If you're extra paranoid, you can use a two-factor authentication method, either a yubikey or printed chart of numbers, such that untrusted computers need that in addition to the master password to decrypt the database.

In many ways, lastpass is just as strong, or stronger, than entirely offline password databases such as 1pass or keepass. Not that there's anything wrong with those at all - if they suit your needs, and you don't NEED the ability to keep your password database in sync between multiple computers and/or tablet or phone then they're very good and extremely secure.

One thing I do like about lastpass; it associates email and password for a given site; I tend to use a few different ones, especially as some accounts go back many years, so knowing which email account/login name is used is often harder than the password!

If you're happy having a system for generating unique strong passwords, then also fair enough. Me, I use lastpass to store all those throw-away passwords, such as for metafilter, as entirely random long-string passwords, and rely on the lastpass browser plugin autofill on the computers I use. I keep a few passwords, such as my banking, paypal, work, steam and gmail passwords entirely in my head as unique strong ones, but that's mostly because I use them where lastpass doesn't reach easily, on non-browser apps on my android (the app does work, but it's not perfect). If any one service gets breached in future, it really doesn't matter as no password is shared, something I did get bitten with by the Sony debacle - it wasn't shared with anything actually important, but it could still have been very annoying, so I changed everything pre-emptively and dumped them all in lastpass.

The key thing, no matter how you achieve it, is not to share passwords between services, and the important ones with money and/or your email should all be strong and unique.
posted by ArkhanJG at 1:20 PM on June 25, 2011 [8 favorites]
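An added illustration (not LastPass's code, and not from ArkhanJG's comment) of the split described above: the master password is stretched locally, the server only ever stores a further one-way hash of it plus an encrypted blob, and the blob is decrypted only on the client. Assumed simplifications: PBKDF2 stands in for whatever KDF the real service uses, and the vault cipher is a constructed HMAC keystream with an authentication tag so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # slow KDF: every guess at the master password pays this cost

def derive_keys(email, master_password):
    """Client side only. Returns (enc_key, auth_hash); only auth_hash leaves the machine."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), KDF_ITERATIONS)
    # Extra one-way step: the value the server stores cannot be turned back into enc_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, auth_hash

def _keystream(key, nonce, length):
    # Constructed PRF-based keystream for this example only; a real client uses AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(enc_key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt_vault(enc_key, blob):
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(enc_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class VaultServer:
    """Everything the service holds: an auth hash and an opaque blob per account."""
    def __init__(self):
        self.accounts = {}

    def upload(self, email, auth_hash, blob):
        self.accounts[email] = (auth_hash, blob)

    def download(self, email, auth_hash):
        stored_hash, blob = self.accounts[email]
        return blob if hmac.compare_digest(stored_hash, auth_hash) else None

def sync_and_restore(email, master_password, vault_plaintext):
    """Round trip: encrypt locally, upload, download on a second device, decrypt locally."""
    enc_key, auth_hash = derive_keys(email, master_password)
    server = VaultServer()
    server.upload(email, auth_hash, encrypt_vault(enc_key, vault_plaintext))
    enc_key2, auth_hash2 = derive_keys(email, master_password)  # second device, same inputs
    return decrypt_vault(enc_key2, server.download(email, auth_hash2))

def stolen_server_data_decrypts(email, master_password, vault_plaintext):
    # Simulated full server breach: the attacker holds auth_hash and the blob, not the master password.
    enc_key, auth_hash = derive_keys(email, master_password)
    blob = encrypt_vault(enc_key, vault_plaintext)
    return decrypt_vault(auth_hash, blob) is not None  # the stored hash is not the decryption key
```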


You guys just give me your password and I'll see if it is compromised.

12345
posted by furiousxgeorge at 1:23 PM on June 25, 2011


That's amazing. I've got the same combination on my luggage!
posted by Spatch at 1:25 PM on June 25, 2011 [3 favorites]


Hmm, I notice 1password now syncs via dropbox account for multiple devices. While that's fine, as the 1password database is secure (and it's a good way to keep in sync), and the same goes for keepass dropbox users, don't store anything important that isn't independently encrypted in dropbox.

Dropbox have basically admitted that they can, and do decrypt dropbox folders, as they all have the same backdoor key. It's how they do the deduplication, so that if you upload a file someone else has already uploaded, it just puts it in your dropbox without actually having to upload it. They also have a backdoor they can use on their system at the request of law enforcement.

Personally, I've switched to wuala for file-syncing purposes for that reason.
posted by ArkhanJG at 1:31 PM on June 25, 2011 [1 favorite]


Look, just go to google and type in your email address and your most commonly-used password. You'll immediately see lists of compromised passwords. I've been contacted by three different benevolent individuals to tell me this. It is not hard to do.
posted by craniac at 1:54 PM on June 25, 2011


hunter2 4eva
posted by babbyʼ); Drop table users; -- at 3:24 PM on June 25, 2011


Ah, so that's why my Gmail got locked down and I was forced to fill in a bunch of CAPTCHAs then switch to two factor auth (which is pretty cool, and something I should really have switched on when it launched).

If I'd known that was due to the recent Mt. Gox incident, I could've avoided changing passwords on hundreds of sites. (Needless to say, I didn't give Mt Gox the same password I use at Google!)
posted by jack_mo at 3:38 PM on June 25, 2011


So I just checked out 1Password and as far as I can tell, it throws a bookmarklet onto my browser that I can click whenever I'm on a login site that I'm already a member of.

How on earth is this secure? If my computer gets stolen or accessed the person needs only to click a button on any site and they're now logged in. This is more secure than me memorizing one password and not keeping it anywhere but in my head?
posted by dobbs at 4:21 PM on June 25, 2011


dobbs: I don't know about whether there's a bookmarklet, but 1Password has various extensions for Chrome, Firefox, Safari, etc, that require you to enter your 1Password master password to unlock the individual site passwords. So, no, a random person cannot just do that.
posted by adrianhon at 4:27 PM on June 25, 2011


adrianhon, I downloaded and installed it. I made a profile in it for Metafilter and then I did this:

1. Quit 1Password
2. Logged out of MeFi
3. Quit Safari
4. Opened Safari
5. Went to MetaFilter's Login page
6. Clicked the 1P button on Safari
7. 1Password logged me in
8. I left this comment.

I was never prompted for my master password after creating it. I'm not asked for it again unless I open 1Password.

So, yeah, I don't understand this.
posted by dobbs at 4:35 PM on June 25, 2011


The one thing I can think of is that by default, 1Password does not require you to enter your master password every single time - instead, it will only do this after 20 minutes of inactivity. Of course, it's possible to change this to any number of minutes, or you can completely disable automatic unlock so that it prompts you for your password for every single use.
posted by adrianhon at 4:38 PM on June 25, 2011


Ah, that was it. Thanks, adrianhon. Completely my mistake.
posted by dobbs at 4:50 PM on June 25, 2011


How on earth is this secure? If my computer gets stolen or accessed the person needs only to click a button on any site and they're now logged in. This is more secure than me memorizing one password and not keeping it anywhere but in my head?

You can also password protect your laptop so that it can't be used if it's stolen.
posted by delmoi at 5:43 PM on June 25, 2011


You can also password protect your laptop so that it can't be used if it's stolen.

the problem with that is you can't then use something like Prey to find and recover the laptop.

as well as keeping all my confidential data encrypted, I have my laptop configured to auto-login to a non-privileged account. that way if it gets stolen, the thief will be able to connect to the internet and use it (but with no access to my data), and I can either find it or remotely nuke it.

the only downside is it takes me 2 extra keystrokes and ~5 seconds longer to log in when I turn it on. oh noes.
posted by russm at 8:03 PM on June 25, 2011


Would be nice if it told me *which* password was compromised. I'm certainly not changing all of them because this thing says so.
posted by tylerkaraszewski at 9:44 PM on June 25, 2011


tylerkaraszewski: "Would be nice if it told me *which* password was compromised. I'm certainly not changing all of them because this thing says so."

Word. The email that came up compromised is one I know was part of the Gawker breach.. but it'd be nice to know if any other accounts are nailed, too.
posted by ChrisR at 11:27 PM on June 25, 2011


My email address was also among the sixty thousand filched from Mt. Gox, and this service does show it as "compromised". But I do use KeePassX, and since both my Mt. Gox password and my Gmail password are and were unique, long and random, I'm not too fussed.

Google can have some marks for forcing me to change my Gmail password regardless. I'm glad they didn't make me jump through two-factor hoops, though.
posted by flabdablet at 3:10 AM on June 26, 2011


Lulzsec have decided that as their final act before 'disbanding', they've dumped on torrents a whole ton of forum accounts, including natobooks and some 500,000 Battlefield Heroes beta accounts with weakly hashed passwords that have been reversed, i.e. the passwords are now in the clear.

You can search the list of Battlefield Heroes user accounts to see if you're on it here - it's literally just a text file of the usernames, or you can go grab the torrent with the hashed passwords. This site is also a list of all lulzsec public releases of email/usernames to date (passwords are not visible), but it's not fully up to date with the very latest leak today. If you're feeling paranoid on the latter, just put a partial email address or username in, and use your usual browser search option.

In my case, I'm not showing up, and looking at the raw dump (1,2,3) it looks like they've only cracked passwords of up to 6 lower case letters/numbers, so far, anyway.

I honestly don't remember which system it used, and whether it was tied into my EA profile account - though it is showing up there as a 'persona' (profile.ea.com). I've changed my ea profile password again just now, just in case. Fortunately, since it's entirely unique via lastpass (and 16 character mixed case with symbols and numbers), I don't have to change anything else this time.
posted by ArkhanJG at 10:45 AM on June 26, 2011


If you're wondering whether you should change your password, the answer is YES. Regardless of what a website says. Seriously, just change it.

And as some of the recent high-profile breaches have demonstrated, it's critical to have a different password for every site. Even if you just take your "regular" password and tack on (e.g.) the first three letters of that site's name.
posted by ErikaB at 10:42 AM on June 27, 2011



